A System and a Method for Authorizing Process Operations on

Internet Servers



BACKGROUND OF THE INVENTION 
Field of the Invention 

The present invention relates generally to network security and in particular to a system 
and a method for authorizing Internet session activities on network servers. 
Background Art 

Prior art for securing servers that are connected to the Internet and allow access to
their resources includes several techniques for preventing and restricting the access of
unauthorized users. Such techniques include using firewalls and secure servers and
requiring users to identify themselves before granting them access. The main drawback of
such security methods is that once users gain access, even highly restricted access,
complex multi-server systems find it hard to track the users' activities on the servers and
to prevent the misuse of the servers' resources.

Executing users' requests in multi-server systems usually requires initiating many
processes on the different servers. In such cases the applications may not obtain any
information about the processes' owners, since their processes are initiated by other
servers and they communicate only with those servers. The processes may then all be
owned by a single user ID with low permissions. This makes tracking a single user's
activity impossible and becomes a major security loophole.
US Patent No. 6,199,113 addresses this problem by establishing a session key for users
on their entry into a secured server. The session key is established only for users
whose identity is authenticated by an authenticating process, which includes comparing
the received details of their identity as given by the browser with the system's database.
This solution guarantees that only the sessions of authorized users may operate on the
secured server and that users who manage to enter without permission cannot gain access
to the servers' resources. This may be an effective solution for systems that want to
ensure that their access restrictions are enforced, but it does not meet the needs of
systems which do not operate under the secure system criteria and which are required to
be open to all users.

There is therefore a need for a security system that suits the modes of operation of open
complex systems, such as systems operating in a multi-tier architecture, which want to
grant limited access to all users without allowing exploitation of their resources.
US Patent Application No. 20020174220 provides a partial solution to this problem. It
restricts the number of processes that each user may initiate on the servers and thus
ensures that the system's computing resources are not all captured by a single user. This
may reduce opportunities for denial of service attacks on a server node, but it does not
examine the nature of the operations which are executed by the users.
In order to allow a system to supervise the activities of its users, there is a need for
a means of limiting the operations of the system's users by monitoring and filtering out
unauthorized activities.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

The present invention is a new system and method for providing network security
for online servers by tracking the users' activity on them and preventing the occurrence
of unauthorized events. This invention implements an innovative security approach
which focuses on the web servers' environment and operates inside it. The preferred
embodiment of the present invention functions at the operating system level of the
servers: it validates that each process on the servers is in keeping with a set of rules and
with the privileges of the users' requests. The system compares the level and scope of
permissions given to the users' requests with the operations done by the processes that
relate to them on the different servers. Whenever incompatibilities or inconsistencies are
found, the security system filters out the inappropriate process operations.

This method both blocks unauthorized access to resources and prevents the misuse
of accessible resources. Unauthorized access may include, for instance, attempts of
unlicensed users to operate within the system, whilst misuse of resources may include
attempts to alter database records by users with read-only permissions or to initiate
actions which exploit the servers' resources. Preventing misuse by users is the most
significant capacity of the present security system, since prior art includes several well
known solutions for preventing unauthorized users from gaining access to servers and
networks, but once users enter, it is much more difficult to monitor their activities, and
this issue remains the blind spot of most prevailing security strategies.

FIG 1 illustrates an example of environments in which the said security system may
operate. The client 100 connects to the system 120 via the Internet 110. The system may be
comprised of a single-tier architecture 120a or of a multi-tier architecture 120b. While in
the single-tier architecture all facilities 121a, 122a, 123a run on a single server 120a,
in multi-tier systems 120b the system facilities are divided among several servers 121b,
122b, 123b, which are interconnected via a local network 125 and cooperate in
accomplishing tasks.

Client users 100 which connect to system 120 initiate action requests in the system
120, such as gaining access to files or retrieving information from a database. To execute
such actions the system 120 must create processes on its servers. Complex tasks may
demand creating more than one process, especially if they are executed on a multi-tier
architecture.

FIG 2 illustrates the user identification process. Tracking the progress of each user is
achieved using tools which are similar in nature to those used by load balancing
techniques. Users may connect to the server 120 either by using a unique personalized
user identifier, such as a user login, or by using browsing means that do not demand
identification. Whenever a user login is used, the system can easily associate the identity
of the users with the session IDs that their requests produce. But even when users enter the
server without yielding personal details, their requests may be traced back to their
browser through the request's header. Since the users' requests are usually sent
sequentially, each request contains an individual header. As illustrated in FIG 2, the
header of a request initiated by the client 100 contains a session ID 210 (the cookie which
is attached to the header of each request). The security system identifies the session ID
210, and if for any reason a session ID 210 is not available, the security system creates a
unique identifier for the session on the request's first appearance.

In addition, the security system tracks the unique TCP port ID 220 given to the
request. The port ID 220 may be associated with the session ID 210, since they are both
unique identifiers (a port number is unique only for the lifetime of its connection, so the
pairing is recorded afresh for each new connection). This pairing allows the security
system to identify which session activates each of the processes 230 in system 120. In the
case of multi-tier systems, where every process may create additional processes in a tree
hierarchy, using this method allows the security system to associate a session ID with
each server task. In such cases the web server 121b may also transfer tasks to the other
servers of the system 122b, 123b through the network 125. The initial process creates a
connection via network 125 with servers 122b, 123b in order to transfer commands and
arguments. It then waits for a result through the same connection. In this case, when tasks
are transferred from one server to the next, the same procedure of correlating the session
ID with the processes it creates through the socket connection is repeated. This allows the
security system to trace back the session ID, and through it the identity of its user, for
every process in the network.

A block diagram of the preferred embodiment of the present invention is illustrated
in FIG 3. The security system 300 comprises three main modules. The first is a session
request identification module 320, operating on the web server 121. The second is a
central module 340, which collects the information about the different processes, socket
connections, port numbers, and session IDs. The information is shared through agents
installed on the different servers. The central module 340 operates according to a set of
rules that take into account the collected information about the session ID and its history.
These rules may be fully configured and managed by the administrator using the
security system's administrative tools from a remote management console. The third
module is the process filter 330, which executes the commands given by the central
module 340 and restricts the operation of processes that are found to be invalid.
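The following is an added example, written for this page and not the patent's own implementation, that walks the session tracking described for FIG 2 (session cookie, fallback identifier, TCP port pairing, process tree across a socket hop) and the rule-based filtering of the central module in FIG 3 through one request. The cookie name SESSIONID, the two privilege levels "read" and "write", the port and process numbers and the request headers are all constructed assumptions.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed cookie name carrying the session ID (not specified by the page).
SESSION_COOKIE = "SESSIONID"


def session_id_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the session cookie value from a request header map, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None


@dataclass
class SessionTracker:
    """Agent/central-module state: ports and processes mapped back to sessions."""
    # TCP port of a connection -> session ID that owns it (the FIG 2 pairing)
    port_to_session: Dict[int, str] = field(default_factory=dict)
    # pid -> session ID that, directly or through a parent, activated it
    pid_to_session: Dict[int, str] = field(default_factory=dict)
    # session ID -> privilege granted to that session ("read" or "write"; assumed)
    session_privilege: Dict[str, str] = field(default_factory=dict)
    # (pid, session ID, operation) tuples the filter refused
    blocked: List[Tuple[int, str, str]] = field(default_factory=list)

    def on_request(self, client_port: int, headers: Dict[str, str],
                   privilege: str) -> str:
        """Identify the session of an incoming request and bind it to its port."""
        sid = session_id_from_headers(headers)
        if sid is None:
            # No cookie: mint a unique identifier on the request's first appearance.
            sid = "anon-" + uuid.uuid4().hex
        # A port is only unique while its connection lives, so always overwrite.
        self.port_to_session[client_port] = sid
        self.session_privilege.setdefault(sid, privilege)
        return sid

    def on_process_start(self, pid: int, parent_pid: Optional[int] = None,
                         port: Optional[int] = None) -> str:
        """Attribute a new process to a session via its parent or its socket port."""
        if parent_pid in self.pid_to_session:
            sid = self.pid_to_session[parent_pid]
        elif port in self.port_to_session:
            sid = self.port_to_session[port]
        else:
            raise LookupError(f"pid {pid}: no session could be attributed")
        self.pid_to_session[pid] = sid
        return sid

    def on_connect(self, pid: int, local_port: int) -> None:
        """A process opens a socket to another server; that port now carries its session."""
        self.port_to_session[local_port] = self.pid_to_session[pid]

    def authorize(self, pid: int, operation: str) -> bool:
        """Central-module rule: only sessions with write privilege may write."""
        sid = self.pid_to_session[pid]
        allowed = operation == "read" or self.session_privilege[sid] == "write"
        if not allowed:
            self.blocked.append((pid, sid, operation))
        return allowed


def demo() -> dict:
    """Walk one request through the web server and a second-tier server (constructed data)."""
    t = SessionTracker()
    # Logged-in user whose session was granted read-only access.
    sid = t.on_request(51000, {"Cookie": "SESSIONID=abc123; theme=dark"}, "read")
    # Browser with no cookie at all: the tracker mints an identifier.
    anon = t.on_request(51001, {"User-Agent": "example"}, "read")
    # Web-server worker handles the first request...
    t.on_process_start(pid=1001, port=51000)
    # ...and connects to the database server from local port 40000.
    t.on_connect(pid=1001, local_port=40000)
    # The database server's agent sees a process activated for the connection
    # arriving from port 40000 and repeats the same port-to-session correlation.
    t.on_process_start(pid=2002, port=40000)
    return {
        "sid": sid,
        "anon": anon,
        "pid2002": t.pid_to_session[2002],
        "read_ok": t.authorize(2002, "read"),
        "write_ok": t.authorize(2002, "write"),
        "blocked": list(t.blocked),
    }


if __name__ == "__main__":
    print(demo())
```

The second-tier process 2002 has no parent on its own server, so it can only be attributed through the socket port that process 1001 registered; that is the hop the page describes as repeating the correlation "through the socket connection". The write by the read-only session is refused and logged, which is the filter-module action the page attributes to process filter 330.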
What is claimed is:

1. A security system for preventing unauthorized process operations within a
network server environment, said system comprising:

- an agent module installed on each protected server for monitoring
communication sessions and process activation;

- a central control module for tracing successive sessions having the same
source based on identifying session header data as received from the agent
module;

- an authorization module for checking all process activation requests for
determining access authorization based on the identified sessions which are
related to said process activation requests in accordance with pre-defined
rules;

- a filtering module installed on each server for blocking unauthorized